Kaseya may signal worrying new phase in cyberattacks

The recent Kaseya ransomware attack could signal the start of a new wave of larger, more sophisticated cyberattacks, according to CyberCube.

The attack, attributed to REvil, targeted as many as 1,500 companies with ransomware after hackers exploited a vulnerability in software provided to managed service providers by US information technology firm Kaseya. The cyber gang infiltrated Kaseya’s systems to target the end customers of its technology company clients, which use Kaseya’s software to monitor and manage IT networks of thousands of businesses.

The attack is one of the largest since the NotPetya malware attack in 2017, which brought down the systems of shipping firm Maersk and food manufacturer Mondelez. The Kaseya incident is also concerning because it combines two potent forms of threat – ransomware and supply chain attacks – Oliver Brew, head of client success at CyberCube, told Commercial Risk Europe.

“The Kaseya attack brings together a number of themes we have been seeing, including [IT and technology] supply chain cyberattacks, such as with the SolarWinds attack and Microsoft Exchange vulnerabilities. We are now seeing the fragility of IT supply chains combine with the devastating financial-motivated and organised criminal element of cyber gangs. This combination could prove significant for the systemic implications for companies right across the economy,” said Mr Brew.

“This is simple economies of scale. Ransomware gangs now realise that they can use common access or touchpoints to attack multiple companies at the same time. It’s a game of numbers. One successful attack against a supply chain provider compared with navigating the cybersecurity of individual firms,” he said.

The combination of ransomware and supply chain attacks presents a further challenge to business and the cyber insurance market, which are already smarting from a big increase in ransomware losses during the past 18 months or so.

According to insurance broker Howden, cyber insurance rates increased 32% in the first half of 2021, following a 170% increase in ransomware attacks last year and a 400% jump in the average ransom demand. Insurers have also reduced available limits and introduced co-insurance for ransomware.

The gang behind the Kaseya attack reportedly made ransom demands of $50,000 to $500,000 from individual firms, although it demanded $70m, later reduced to $50m, to restore all the affected businesses’ data. A ransom payment of $100m within the next two years is conceivable, Mr Brew said.

Ransomware attacks have been growing in sophistication and are becoming more targeted. Double-extortion attacks, where hackers also copy data to use for future extortion, first appeared in 2019 and gained popularity in 2020, said CyberCube. Criminals are also starting to modify target companies’ data as part of extortion attempts. These attacks are likely to become increasingly prevalent in the next few years and focus on sectors utilising sensitive data such as healthcare and financial services, CyberCube predicts.

The cyber risk experts previously warned about cyber criminals’ growing interest in “single points of failure” across IT and technology supply chains. These attacks, like Kaseya, target services common to many thousands or millions of users and have the potential to affect large swathes of businesses. “The Kaseya attack does raise some important questions around companies’ understanding of digital supply chains and how they build resilience,” said Mr Brew.

In particular, supply chain attacks raise the spectre of large systemic cyber loss events, whereby one attack impacts thousands of organisations within a sector, a region or worldwide. Nation states that harbour, or even support, these groups and carry out attacks themselves, are compounding the problem of cyber gangs, according to Mr Brew.

As cyberattacks increase, demand for cyber insurance has been on the rise. However, the challenge for the insurance industry is to understand the changing nature of expanding cyber exposures, and then produce products that will serve the needs of business, said Mr Brew.

“Connections between companies and technology dependencies are a challenge and add additional complexity to understand these risks. Ransomware has come to dominate the cyber insurance industry and there is a rapidly growing awareness of the potential for aggregation risk to become an existential risk,” he added.

The Colonial Pipeline attack also highlights another potential risk on the horizon if cyber gangs turn their attention to the Internet of Things (IoT), explained Mr Brew. “The Colonial attack – which included a physical element – could be a portent of things to come. IoT is inherently vulnerable and security is less robust, and the consequences of an attack could be more significant,” he said.

The Colonial Pipeline ransomware attack in May, which saw the company pay a $5m ransom, is thought to be the work of criminal gang DarkSide, which is based in eastern Europe and Russia. Suspected Russia-based hacking group REvil has claimed responsibility for the Kaseya ransomware attack, along with a string of others. Such attacks increasingly prompt a response from authorities. President Biden signed an executive order to strengthen cyber security following the Colonial Pipeline attack.

As ransomware and cyberattacks against critical infrastructure and businesses more generally grow, cyber security requirements and regulation are likely to increase, according to Mr Brew. The payment of ransomware demands is already under growing scrutiny, with the belief it fuels the problem. “Ransomware is becoming a political issue and there will be more regulation. For example, the National Cyber Security Centre (NCSC) increasingly plays a role in developing legislation in the UK,” he said.
